On May 6th, the popular satirical news site the Onion became the latest victim in a series of Twitter account hacks by a group called the Syrian Electronic Army. Its regular tweets linking to farcical articles and funny videos were replaced with politically tinged messages as well as “The Syrian Electronic Army Was Here.”

In recent weeks, the group has managed to hack NPR, the Associated Press, the Guardian and CBS, among others. So how have they been able to gain access to these social media accounts? The Onion’s tech team has explained in a blog post how it happened to them and offered 4 tips for social media security.

Three Simple Phishing Techniques

An example of the phishing email that fooled Onion employees. Screenshot by the Onion Inc. Tech Blog on Github.

Ultimately, the hackers used three different methods to phish the Google Apps accounts of Onion employees. They started off by sending phishing emails which used a link disguised as a Washington Post article to prompt employees to enter their Google Apps credentials (including passwords). This gained them access to the account of at least one employee who entered their information.

The second method involved sending further phishing emails from that one employee’s account. These emails gained more traction since they were sent by a staff member trusted by his or her peers.

The Syrian Electronic Army hacked the Onion’s Twitter account using three simple phishing techniques. Screenshot by Vice.

At this point the tech team discovered that accounts had been compromised and sent an email to all employees asking them to change their passwords. The hackers then mimicked that security email and included a link to a phishing page disguised as a password reset, which at least two employees filled out. In total, 5 Google Apps accounts were compromised through the three phishing schemes.

With all of the credentials they gathered using these techniques, the Syrian Electronic Army was able to gain control of the Onion’s Twitter account and send out several Tweets. A company-wide password reset was ultimately used to resolve the issue.
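Both phishing waves described above relied on the same trick: a link whose visible text promised one destination (a Washington Post article, a password reset for the company's Google Apps accounts) while its href pointed somewhere else. The following script is an added example, not code from the Onion's tech team or from the article, showing how a mail gateway or a security team could screen inbound HTML email for that pattern. The trusted-login host list and the sample email body are constructed for this example; the registrable-domain helper is a deliberate simplification that does not consult a public-suffix list.

```python
"""Flag deceptive links in an HTML email body: anchor text that shows one domain
while the href leads to another, and credential prompts that point outside the
organization's known sign-in hosts. Added example; assumptions are marked."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where staff legitimately enter their Google Apps credentials.
# Constructed allowlist for this example; a real deployment would maintain its own.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "mail.google.com"}

# Words that suggest the link is asking the reader to sign in or reset a password.
CREDENTIAL_WORDS = ("password", "log in", "login", "sign in", "reset")

# Anchor text that looks like a URL or bare domain (e.g. "www.example.com/story").
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text_or_url):
    """Return the lowercase hostname of a URL or bare domain ('' if none)."""
    parsed = urlparse(text_or_url if "://" in text_or_url else "//" + text_or_url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Crude 'example.com' from 'www.sub.example.com'. Assumption: no public-suffix
    list, so multi-label suffixes such as co.uk are not handled. IP literals are
    returned unchanged."""
    parts = host.lower().split(".")
    if all(p.isdigit() for p in parts):
        return host.lower()
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flag_links(html_body):
    """Return a list of (href, reason) for links that look deceptive."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        # Case 1: the text shows a domain that does not match where the link goes.
        if URL_LIKE.fullmatch(text):
            shown = registrable_domain(host_of(text))
            if shown != registrable_domain(href_host):
                findings.append((href, f"text shows {shown} but link goes to {href_host}"))
        # Case 2: a sign-in or reset prompt that leads to an unknown host.
        if any(w in text.lower() for w in CREDENTIAL_WORDS) and href_host not in TRUSTED_LOGIN_HOSTS:
            findings.append((href, f"credential prompt points at untrusted host {href_host}"))
    return findings


# Constructed sample: a fake reset notice, a disguised "news" link, and one honest link.
SAMPLE_EMAIL = """
<p>Please change your password now:</p>
<a href="http://accounts-google.example.net/reset">Reset your Google Apps password</a>
<p>Also see <a href="http://203.0.113.5/wp/article">www.washingtonpost.com/world/story</a></p>
<p>Legit: <a href="https://accounts.google.com/">accounts.google.com</a></p>
"""

if __name__ == "__main__":
    for href, reason in flag_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the constructed sample, the script flags the fake reset link and the disguised article link while leaving the honest accounts.google.com link alone. Text-versus-href mismatch is only a heuristic: a phishing email that shows no domain in the link text (as in the first wave against the Onion) is caught only by the credential-prompt rule, which is why an allowlist of real sign-in hosts matters more than the domain comparison.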

4 Tips from the Onion’s tech team

The Onion’s tech team concluded that the hackers’ methods were very basic and could be prevented with a few simple security measures. The four measures they suggest are, word for word, as follows:

“Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.”

“The email addresses for your twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).”

“All twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.”

“If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.”

Well, thanks for the patently obvious! Problem is, even us tech-heads get caught out, so there is little hope for the non-cognoscenti. My real worry - seriously - is when the phishers and scammers start to use proper English. Then I fear we are royally screwed!

I did this to an entire class when I was in school - they almost all signed in to a phony Yahoo log-in page I emailed out and effectively gave me their passwords. I deleted them all, but not until after they felt dumb for making such an obvious mistake.

Does no one actually look at the address bar before signing in somewhere?